Is Your iPhone Tracking You?

A Wednesday blog post published on O'Reilly Radar is making the rounds and it says that devices running iOS 4 are gathering all your locations and time stamps and storing that data in an unencrypted manner.

Is Apple tracking your every move via the iPhone and iPad? A Wednesday blog post published on O'Reilly Radar claims that devices running iOS 4 are gathering location and storing it in an unencrypted manner.

"What makes this issue worse is that the file is unencrypted and unprotected, and it's on any machine you've synched with your iOS device. It can also be easily accessed on the device itself if it falls into the wrong hands. Anybody with access to this file knows where you've been over the last year, since iOS 4 was released," wrote Pete Warden, founder of the Data Science Toolkit, and Alasdair Allan, a senior research fellow at the University of Exeter.

The data is being stored to a file known as "consolidated.db," which includes latitude-longitude coordinates and a timestamp.

"The coordinates aren't always exact, but they are pretty detailed. There can be tens of thousands of data points in this file, and it appears the collection started with iOS 4, so there's typically around a year's worth of information at this point," Warden and Allan wrote.

The duo speculated that the data collection is erratic. Update times vary and might be triggered by traveling between cells or activity on the phone itself.

But while this data is being stored on your phones and iOS devices, Warden and Allan acknowledge that there is no "evidence to suggest this data is leaving your custody"aka, being sent to Apple. There is also "no immediate harm that would seem to come from the availability of this data."

"But why this data is stored and how Apple intends to use itor notare important questions that need to be explored," they wrote. "The cell phone companies have always had this data, but it takes a court order to access it. Now this information is sitting in plain view, unprotected from the world. Beyond this, there is even more data that we have yet to look at in depth."

As one commenter on the blog post pointed out, this data collection was first discussed last year. Digital forensic specialist Christopher Vance wrote on his blog that the location data is used as part of iAds, in addition to apps that require location-based data. In a later blog post, however, Vance said "these points are being used not in direct connection with iAds but on your device itself."

Apple insisted that its location-based services exist only to enhance the user experience and that the company does not activate these services until it has received express consent from users. It collects data "anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services," Bruce Sewell, general counsel and senior vice president of legal and government affairs at Apple, wrote in a letter to Reps. Edward Markey and Joe Barton.

"Apple is committed to giving our customers clear notice and control over their information, and we believe our products do this in a simple and elegant way," he said.

The inquiry occured after Apple updated its privacy policy to say that it could "collect, use, and share precise location data, including real-time geographic location of your Apple computer or device."

In the letter, Apple said four Apple devices collected geographic location data: the iPhone 3G, the iPhone 3GS, the iPhone 4, and the iPad Wi-Fi + 3G. To a lesser extent, older iPhone models, the iPad Wi-Fi, the iPod touch, Mac computers with Snow Leopard, and Safari 5 also collect similar information.

Apple started collecting location-based data and Wi-Fi information in January 2008.

"Apple has always provided its customers with the ability to control the location-based service capabilities of their devices," Sewell said. "In fact, Apple now provides customers even greater control over such capabilities for devices running the current version of Apple's mobile operating system, iOS 4."

With iOS 4, customers can pick and choose the apps with which they do not want to share location information, even if the global, location-based capabilities on their device are turned on, Apple said. An arrow icon, meanwhile, alerts iOS 4 users if an app is using or has recently used location-based information.

Warden and Allan seemed to take issue with the fact that the data collected was easily accessible. They built an app that helps you look at your own data, and suggested that concerned users encrypt their backups via iTunes. To do so, click on your device within iTunes and then check "Encrypt iPhone Backup" under the "Options" area.

A more detailed look at Warden and Allan's investigation is in the video below.

The news is also interesting in light of a case out of Michigan where police officers have been accused of secretly extracting data from peoples' cell phones during routine stops. The American Civil Liberties Union of Michigan has urged the Michigan State Police (MSP) to release information about the alleged practice.

Editor's Note: This story was updated at 2:30pm Eastern with additional info from Vance.

Chloe Albanesius has been with PCMag.com since April 2007, most recently as Executive Editor for News and Features. Prior to that, she worked for a year covering financial IT on Wall Street for Incisive Media. From 2002 to 2005, Chloe covered technology policy for The National Journal's Technology Daily in Washington, DC. She has held internships at NBC's Meet the Press, washingtonpost.com, the Tate Gallery press office in London, Roll Call, and Congressional Quarterly. She graduated with a bachelor's degree in journalism from American University...
More »